Introduction To Container Technology

Transcription

Introduction to Container Technology
Patrick Ladd, Technical Account Manager
April 13, 2016

Container Technology

Containers

"Linux Containers" is a Linux kernel feature to contain a group of processes in an independent execution environment.

The Linux kernel provides an independent application execution environment for each container, including:
- Independent filesystem
- Independent network interface and IP address
- Usage limit for memory and CPU time

Linux containers are realized by integrating many existing Linux features. There are multiple container management tools, such as lxctools, libvirt and docker. They may use different parts of these features.

Container History

- 2000: Jails added to FreeBSD
- 2001: Linux-VServer project
- 2003: SELinux added to Linux mainline
- 2005: Full release of Solaris Zones
- 2006: Generic Process Containers
- 2007: GPC renamed Control Groups
- 2008: Kernel and user namespaces
- 2008: Linux Container project (LXC)
- 2013: DotCloud PyCon lightning talk
- 2013: DotCloud becomes Docker
- 2013: Red Hat Enterprise Linux
- 2014: Google Kubernetes
- 2015: RHEL Atomic Host
- 2015: RHT container platforms
- 2015: Standards via OCI and CNCF

Containers vs. Virtualization (diagram slide; only the panel titles survived)

Traditional OS vs. Containers (diagram slide; only the panel titles survived)

Underlying Technology

Enabling technology in Linux has been present for many years:
- Namespaces: Process, Network, Filesystem, User, IPC, UTS (UNIX Technology Services)
- cgroups (Control Groups)
- Union (overlay) filesystems

Namespaces

Process Namespaces

Original UNIX process tree:
- First process is PID 1
- Process tree rooted at PID 1
- PIDs with appropriate privilege may inspect or kill other processes in the tree

Linux namespaces:
- Multiple, nested process trees
- Nested trees cannot see the parent tree
- A process has multiple PIDs, one for each namespace it is a member of
(Slide diagram: nested process trees, each process labelled with its PID in every namespace it belongs to.)

Network Namespaces

Presents an entirely separate set of network interfaces to each namespace:
- All interfaces, including loopback, are virtualized
- Ethernet bridges may be created:
    ip link add name veth0 type veth peer name veth1 netns <pid>
- A routing process in the global namespace routes packets
(Slide diagram: global namespace with the physical interface and routing process; child net namespaces each with a virtual interface.)

Original namespace:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether 00:24:8c:a1:ac:e7 brd ff:ff:ff:ff:ff:ff

New namespace:
    1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Filesystem Namespaces

Clone / replace the list of mounted filesystems:
- Similar to chroot
- Allows isolation of all mount points, not just root
- Attributes can be changed between namespaces (read only, for instance)
- Used properly, avoids exposing anything about the underlying system

User Namespaces

Replace / extend UID / GID:
- Delete unneeded UID / GID from the container
- Add / change the UID / GID map inside the container
- Use: root privilege in the container, user privilege in the base OS

IPC Namespaces

Similar to network namespaces: separate interprocess communication resources
- Sys V IPC
- POSIX messaging

UTS Namespaces

UTS: UNIX Technology Services. Change inside the container:
- Hostname
- Domain

Feature availability

    Filesystem separation        Mount namespace (kernel 2.4.19)
    Hostname separation          UTS namespace (kernel 2.6.19)
    IPC separation               IPC namespace (kernel 2.6.19)
    User (UID/GID) separation    User namespace (kernel 2.6.23 through kernel 3.8)
    Process table separation     PID namespace (kernel 2.6.24)
    Network separation           Network namespace (kernel 2.6.24)
    Usage limit of CPU/memory    Control groups

Namespaces Summary

Isolation / modification of container processes from the host:
- PIDs
- Network
- Filesystems
- UID/GID
- IPC
- Hostname / domain

See the documentation on the clone() system call for more complete details on functionality (warning: systems programmer jargon territory).
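As an added illustration, not from the deck, of the clone() flags the summary points to and of the "only loopback" view on the network namespace slide: a C program that starts a child in new user, PID, UTS and net namespaces and checks that the child sees PID 1, its own hostname and a single interface. It assumes a Linux kernel that allows unprivileged user namespaces (no uid_map is written); if the kernel or a seccomp policy refuses, namespace_demo() reports that rather than failing.

```c
#define _GNU_SOURCE
#include <net/if.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>
struct ns_report { int pid_inside, ifaces_inside; char hostname[64]; };
static char child_stack[256 * 1024];  /* clone() runs the child on a stack we supply */

/* Runs inside fresh user/PID/UTS/net namespaces and reports what it sees over a pipe. */
static int child_fn(void *arg) {
    int fd = *(int *)arg;
    struct ns_report r = {0};
    struct utsname u;
    struct if_nameindex *ifs, *p;
    /* UTS: renaming here is invisible to the host. It is allowed because the child
       holds CAP_SYS_ADMIN in the new user namespace while unprivileged outside it. */
    if (sethostname("isolated", 8) != 0) return 2;
    uname(&u);
    snprintf(r.hostname, sizeof r.hostname, "%s", u.nodename);
    r.pid_inside = (int)getpid();   /* PID: 1, root of the nested process tree */
    ifs = if_nameindex();           /* net: only a down loopback, no host interfaces */
    for (p = ifs; ifs && p->if_index != 0; p++) r.ifaces_inside++;
    if (ifs) if_freenameindex(ifs);
    return write(fd, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 2;
}

/* 1: child saw pid 1, hostname "isolated" and exactly one interface.  0: the kernel or a
   seccomp/sandbox policy refused unprivileged namespaces.  -1: child reported something else. */
int namespace_demo(void) {
    int pfd[2], status = 0, flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNET | SIGCHLD;
    struct ns_report r = {0};
    if (pipe(pfd) != 0) return -1;
    pid_t pid = clone(child_fn, child_stack + sizeof child_stack, flags, &pfd[1]);
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return 0; }
    close(pfd[1]);
    ssize_t n = read(pfd[0], &r, sizeof r);
    close(pfd[0]);
    waitpid(pid, &status, 0);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2) return 0;
    if (n != (ssize_t)sizeof r) return -1;
    return (r.pid_inside == 1 && r.ifaces_inside == 1 && strcmp(r.hostname, "isolated") == 0) ? 1 : -1;
}

int main(void) {
    int rc = namespace_demo();
    printf("host pid %d: result %d (1 ok, 0 refused, -1 inconsistent)\n", (int)getpid(), rc);
    return rc < 0;
}
```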

cgroups

cgroups

- A way to allocate resources to processes running on a system
- Hierarchical; can be dynamically added, changed and removed
- Made up of several subsystems, also called resource controllers
- Part of the RHEL 6 & 7 kernel; upstream since 2.6.24
- You must install the userspace tools: install libcgroup


Resource Controllers

- cpu: this subsystem uses the scheduler to provide cgroup tasks access to the CPU.
- cpuacct: this subsystem generates automatic reports on CPU resources used by tasks in a cgroup.
- cpuset: this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup.
- devices: this subsystem allows or denies access to devices by tasks in a cgroup.
- freezer: this subsystem suspends or resumes tasks in a cgroup.
- blkio: this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, USB, etc.).
- memory: this subsystem sets limits on memory use by tasks in a cgroup, and generates automatic reports on memory resources used by those tasks.
- net_cls: this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task.
- net_prio: this subsystem provides a way to dynamically set the priority of network traffic per network interface.
- ns: the namespace subsystem.
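Added example, not from the deck: C helpers that parse a process's /proc/<pid>/cgroup placement on a cgroup v1 system such as RHEL 7, pick out the hierarchy that carries one of the controllers listed above, and build the path of the sysfs file holding that controller's setting for the cgroup. The /proc contents and the /docker/example path are constructed sample data, not taken from a real host.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample of /proc/<pid>/cgroup (cgroup v1, as on RHEL 7): one
   "hierarchy-ID:controller-list:cgroup-path" line per mounted hierarchy. */
static const char SAMPLE_PROC_CGROUP[] =
    "11:memory:/docker/example\n10:cpu,cpuacct:/docker/example\n"
    "9:devices:/docker/example\n8:blkio:/\n1:name=systemd:/system.slice/docker.service\n";
/* cgroup path of the process under the hierarchy carrying `controller` (exact
   match of one comma-separated name, so "cpu" does not match "cpuacct").
   Returns 1 and fills out, 0 if no hierarchy has it or the path does not fit. */
int cgroup_path_for(const char *proc_cgroup, const char *controller, char *out, size_t outlen) {
    for (const char *line = proc_cgroup; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *c1 = memchr(line, ':', len);
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - line)) : NULL;
        for (const char *tok = c2 ? c1 + 1 : NULL; tok && tok < c2; ) {
            const char *end = memchr(tok, ',', (size_t)(c2 - tok));
            if (!end) end = c2;
            if ((size_t)(end - tok) == strlen(controller) && memcmp(tok, controller, end - tok) == 0) {
                size_t plen = (size_t)(line + len - (c2 + 1));  /* path after the 2nd colon */
                if (plen >= outlen) return 0;
                memcpy(out, c2 + 1, plen);
                out[plen] = '\0';
                return 1;
            }
            tok = end + 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}
/* sysfs file holding that controller's setting for the process's cgroup, e.g.
   /sys/fs/cgroup/memory/docker/example/memory.limit_in_bytes. Returns 1 on success. */
int cgroup_knob_path(const char *proc_cgroup, const char *controller, const char *knob,
                     char *out, size_t outlen) {
    char path[256];
    if (!cgroup_path_for(proc_cgroup, controller, path, sizeof path)) return 0;
    const char *sep = (path[0] && path[strlen(path) - 1] == '/') ? "" : "/";
    int n = snprintf(out, outlen, "/sys/fs/cgroup/%s%s%s%s", controller, path, sep, knob);
    return n > 0 && (size_t)n < outlen;
}
```

On a live host, feeding the contents of /proc/self/cgroup to cgroup_knob_path() tells you which file to read to see the limit a container runtime placed on the calling process.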

Union (overlay) Filesystems

Union Filesystems

- Stacked / layered storage
- Copy on write
- Many available underlying implementations: Aufs, OverlayFS, btrfs, LVM, Device mapper

Container Security

Containers Are Not Secure by Default
6 Misconceptions About Containers

Container Security

- Isolation of hosts: Host OS SELinux, maintained by trusted kernel engineers and frequently updated.
- Are sources trusted? 36% of Docker Hub official images contain high priority security vulnerabilities.*
- What's inside containers: Red Hat Black Duck secure, trusted model for validating container contents.
- Trust is temporal: New vulnerabilities are identified daily and containers become stale over time.

* Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (ockerHub-WhitePaper.pdf)

Container Isolation with EOS (diagram slide; surviving labels: OS, Host Services, SELinux, Shared Services, SELinux)

Red Hat Container Technology

Stock Red Hat Enterprise Linux ("RHEL"):
- Full OS image
- Docker packages added
- All combinations of use

Red Hat Enterprise Linux Atomic Host ("Atomic"):
- Stripped down OS image
- Pre-installed docker packages
- Only for container deployment
- Limited additional packages
- Different upgrade / update process (no yum)
- Optimized settings for container deployment
- Separate subscription from the RHEL subscription

Atomic Formats

Multiple environments available:
- Cloud image (qcow2)
- RHEV (ova)
- Hyper-V (vhd)
- vSphere (ova)
- Installer (iso)

Installing Atomic on KVM

- Create an overlay of the image:
    qemu-img create -f qcow2 -o backing_file=rhel-atomic-cloud-7.2-12.x86_64.rhevm.qcow2 atomic-instance0.qcow2
- Set up the VM
- Customize VM startup: meta-data & user-data files, host IP addresses, login credentials
- Start the VM

Register & Update Atomic

- Register Atomic:
    subscription-manager register --username myid
    subscription-manager attach
    subscription-manager list
- Upgrade Atomic:
    atomic host upgrade
- Atomic upgrade status:
    atomic host status
- Recover from a failed upgrade:
    atomic host rollback

Using Docker

- Getting help:
    docker --help
- Information on the docker install:
    docker info
    docker network ls

Using Docker Images

- Download an image:
    docker pull rhel7:latest
- Modify the Dockerfile: update MAINTAINER
- Build the image:
    docker build -t webserver .
- Show images:
    docker images
- Remove an image:
    docker rmi myimage
- Show all images:
    docker images -a

Using Containers

- Start a container:
    docker run -d -p 80:80 --name myweb webserver
- Change content
- Start another container:
    docker run -d -p 80:80 --name myweb webserver
- List containers:
    docker ps
- Stop a container:
    docker stop myimage
- Restart a container:
    docker restart myimage
- Remove a container:
    docker rm myimage

Reference Materials

Atomic on/en/red-hat-enterprise-linux-atomic-host?version 7/
Atomic t/271/ver /rhel---7/7.2.2-2/x86 64/product-software
